Lately, one of our clients has been getting adult spam every day that passes all tests except SPAMHEADERS and SPAMCHECK with a SPAMCHECK weight of 6, so it passes.
Looking through the source code in the body, the only pattern I found was that the example name changed every day but was always a legit example name prefixed by http_:_//_links_2.1 without the underscores. They are registering example names exactly like legit ones but they all have 1 in front, like 1example.com and 1msn.com and so forth.
What I have done, then, is add the following line to my grayfilter:
BODY 50 CONTAINS http_:_//_links_2.1 (without the underscores)
Anybody think of a better way to catch things like this?
Here is the full body source, innocent protected: (underscores added)
#####################################################
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body link="#0000FF" vlink="#0000FF" alink="#0000FF">
<script language="_javascript_">
<!--
function MM_openBrWindow(theURL,winName,features) { //v2.0
  window.open(theURL,winName,features);
}
//-->
</script>
<div align="center">
<p><a href="" target="_blank">
<img src="" width="600" height="434" border="0"></a></p>
</div>
<div align="center">
<p><a href="">
<img src="" width="398" height="47" border="0"></a></p>
</div>
<img src="" width="1" height="1">
</body>
</html>
####################################################

John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
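
An added example, not part of the original post: one way to generalize the check described above, flagging any link whose host is a known legitimate domain with a "1" prepended, rather than matching only the links2.1 prefix. The allowlist, the function names and the sample body are assumptions constructed for illustration.

```python
import re

# Assumption: legitimate domains the spammer imitates (the post names these two).
LEGIT_DOMAINS = ("example.com", "msn.com")

# Host part of every http/https URL in the body (href, src or plain text).
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def lookalike_hosts(body, legit=LEGIT_DOMAINS):
    """Return sorted (host, imitated_domain) pairs for hosts whose registered
    domain is a legitimate domain with a single '1' prepended."""
    hits = set()
    for host in URL_HOST_RE.findall(body):
        host = host.lower().rstrip(".")
        for domain in legit:
            fake = "1" + domain
            # Match the bare lookalike or any subdomain of it (links2.1example.com).
            if host == fake or host.endswith("." + fake):
                hits.add((host, domain))
    return sorted(hits)


def body_weight(body, weight=50):
    """Weight to add to the message, mirroring the BODY 50 rule in the post."""
    return weight if lookalike_hosts(body) else 0


# Constructed sample body, modelled on the structure of the one quoted in the post.
SAMPLE_BODY = """<html><body>
<a href="http://links2.1example.com/offer" target="_blank">
<img src="http://links2.1example.com/img/a.jpg" width="600" height="434"></a>
<a href="http://www.example.com/">legitimate link</a>
<img src="HTTP://Links2.1MSN.com/t.gif" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for host, domain in lookalike_hosts(SAMPLE_BODY):
        print(f"{host} imitates {domain}")
    print("weight:", body_weight(SAMPLE_BODY))
```

Unlike the single CONTAINS rule, this keeps matching if the sender changes the links2 subdomain, and it does not fire on the legitimate domain itself.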
